A brief DMARC primer

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. What DMARC does is allow domain owners to publish policy statements in DNS telling receiver domains what to do with messages that do not authenticate. In addition, DMARC introduces the concept of “domain alignment.” What this means is that the authentication has to be from the same domain (or a sub-domain) as the address in the header-from: line. The idea behind DMARC is that organizational owners can use SPF and DKIM authentication to authenticate their actual domain in the header-from line. This moves authentication from a important but behind the scenes technology out to an end user visible technology.

What does alignment mean?

Alignment means that the authenticating domain is related to the domain in the header-from address. There are two kinds of alignment: strict and relaxed. Strict alignment means that the domains are identical, relaxed alignment  means that the domains are subdomains of one another.
It’s probably easiest to look at example  headers.
In this example we can see a few different things. Visible headers shown in the mail DKIM-alignedclient are in black, headers not normally shown in the client are shown in blue. Highlighted we have the header-from address and the d= value. Both these values are identical, meaning the message passes DMARC with strict alignment. If the header-from was and that would pass DMARC with relaxed alignment.

Shouldn’t all mail align?

Not necessarily. In this other example, we see a header-from of but authentication coming from Constant Contact. DKIM-not-aligned Perfectly legitimate use of the email address in a newsletter, but there is no DMARC alignment as is. Could they create a DMARC alignment? Sure, by signing with a or by publishing a SPF text record containing Constant Contact’s IP addresses. But there’s not a lot of reason to do that as far as I can see.

Why bring this up now?

Yahoo has recently started publishing a DMARC record with p=reject. This means ISPs checking DMARC records (like yahoo, hotmail, and gmail) and following p= recommendations are now bouncing mail from addresses that is not sent through Yahoo servers (SPF alignment) or signed with a Yahoo DKIM key (DKIM alignment). This means any mail from Yahoo users not using the Yahoo SMTP servers directly. This is affecting a couple different kinds of Yahoo users, making mail bounce.

Why would Yahoo do this?

There’s been an ongoing attack against Yahoo users attempting to compromise their accounts and then send email from that Yahoo user to their contacts. Yahoo has managed to block this spam coming out through Yahoo’s servers. The attackers have modified their attacks and are now sending mail from Yahoo users to their contacts through other servers. By publishing a p=reject record, Yahoo is telling other systems to not accept mail from Yahoo users if it doesn’t come through Yahoo controlled servers. This includes the mail from the attackers, but also mail from regular Yahoo users that use another SMTP server, including bulk mail sent through ESPs, and individual mail sent to mailing lists.

Will Yahoo change their DMARC record back?

It’s unclear. One of the other features of DMARC is that receivers can report back to senders when there is an authentication failure. Yahoo has these reports so they know exactly how much email is affected by this setting of p=reject. It could be this is a temporary measure until the attackers move on. But this may be a longer term setting because the attacks may be ongoing.

Can I just tell someone to whitelist my mail?

No. This is not an actual block. Mail is being rejected because Yahoo is saying that other companies should reject mail from addresses that doesn’t come from Yahoo’s servers.

This breaks everything! Who can fix this?

The only people who can change this are Yahoo, no one else is responsible for this. The correct place to complain is support@yahoo. Gmail, Hotmail, anyone else following DMARC, nor the folks at can help you. You need to talk to Yahoo.

What can I do to send mail?

Right now the only way to send mail from addresses to domains checking DMARC is to send mail using the Yahoo SMTP servers. You can do this by using the web interface, or by using the Yahoo SMTP server to send outbound mail. The only real fix for bulk mail through an ESP is to change your header-from address to something that isn’t Yahoo. I’d also suggest avoiding other free mail domains (like gmail and hotmail).


  1. Tobias Herkula says

    Are you saying that it’s Yahoo’s fault, if something breaks now? If somebody uses a domain that does not belongs to them, why would the domain owner be responsible if something breaks?

    1. laura says

      What I’m saying is that many people use Yahoo email addresses legitimately, without using the Yahoo outbound mail servers. Yahoo publishing a p=reject breaks those uses.
      If, for instance, Yahoo had previously published a TOS that says ‘the only mail you can send with has to be sent through our interface’ that would be one thing. This change just enforces that bit of the TOS. But that’s not what yahoo has done. Instead, they started publishing a policy that is going to break a lot of things for their users. Yes, ESP mail is one of them, but mailing list mail is another.
      For Yahoo (and other mailbox providers) there’s never before been the idea that you HAVE to use that email address only to send mail through that mailbox provider. This is really a change in how Yahoo expects their users to use email and I’m not sure it’s a good choice.

  2. Eric S. Smith says

    Spammers ruin everything. These days, we have to assume that mail claiming to come from Yahoo that’s not originating from a Yahoo server is forged spam.

  3. Roberta Cottrell says

    I’m totally confused. Does this mean that the email I thought I was sending from Mad Mimi is actually going through my Yahoo?

  4. Mohammed Ahmed says

    Just an fyi…We just checked and it seems to me that problem is only with address but not with ymail, rocketmail etc.

    1. laura says

      Yup, it is only that has the p=reject message. Other yahoo domains (including some of the regional ones) still have p=none.

  5. What Yahoo's new DMARC Validation Changes Mean for Email Marketers - Mad Mimi Email Marketing Blog says

    […] Word to the Wise has a fantastic and in-depth article about this, right here. […]

  6. Using Yahoo? New Changes Will Impact Your Email Deliverability says

    […] to WordToTheWise, “there’s been an ongoing attack against Yahoo users attempting to compromise their accounts […]

  7. Don’t use a Yahoo email address as your “From” | ActiveCampaign Email Marketing Blog says

    […] Learn more about DMARC and the Yahoo changes […]

  8. Ray Novak says

    My thought was to modify my ‘from’ header to look like this:
    From: “Joe Blow (”
    So the real ‘from’ is my domain, but the name for display in the mail client ui shows the name and email for the message author. Do you suppose this would work?

  9. Email Senders Stymied By Yahoo's Adoption Of Anti-Spoofing Measure says

    […] used with permission of Laura Tessmer Atkins, co-founder of the Word To The Wise email consulting […]

  10. Want to Get Your Emails Delivered? Fix This Today - SkyOffice Consulting | SkyOffice Consulting says

    […] you want the technical details, there’s a great post at Word to the Wise about DMARC, what exactly changed, and what it means for […]

  11. ERIN says

    I am so befuddled. I use the (Telstra) Bigpond service for my email. I use Outlook set with in as and out as I am unable to send anything successfully now with everything coming back with the error talked about. I use a Yahoo email address. Does this mean that I would have to use Tahoo as out server for it to work? I (stupid) don’t understand how that would function if my mail service is Bigpond? Sorry but apart from my ever growing dismay at Yahoo I don’t really understand this and in the end does it mean I cannot use Yahoo with Bigpond ?
    Desperate Dan of Australia
    PS : I have “tried” to communicate with Yahoo – ho hum

    1. laura says

      If you set your out mail server as with your Yahoo credentials that should fix the problem. If you’re using a email address, then you must use Yahoo’s outbound server in order for DMARC to align and for the receiving servers not to reject the mail.
      The other alternative is to stop using Yahoo as your email address.

  12. Craig Spiezle says

    Thanks for providing insight. While DMARC is very simple, we continue to see alignment issues. Second it is perplexing to see how few of the top 1,000 consumer brands are not authenticating at the TLD vs delegate sub domains. This does little to protect consumers. Join OTA and instructors from Agari and ReturnPath on April 29 in Wash DC for a full-day training. More info at

  13. Yahoo Changes May Affect Your Deliverability - SkyOffice Consulting | SkyOffice Consulting says

    […] Why is this happening? In an attempt to stop fraudulent emails, Yahoo changed its DMARC authentication policy to reject emails that claim to come from but actually originate at non-Yahoo servers. For more information on the DMARC authentication protocol, check out this DMARC primer from Laura Atkins at Word to the Wise. […]

  14. Changes to Yahoo email and email marketing effects says

    […] Click here for a brief DMARC primer […]

  15. Bill Watkins says

    In checking for latest updates I see an April 8th update from Yahoo at:
    The latest authentication test that Yahoo has incorporated, DMARC, performs the following checks:
    “From” address should map to the same signing domain
    Mail from a domain should match the domain in the “From” header
    Here’s an example of a DMARC record:
    v=DMARC1; p=quarantine; sp=reject;
    In this example, Yahoo will quarantine emails that fail DKIM and SPF for, and similar emails for sub-domains from will be rejected. The aggregate report will be mailed to
    There current post shows a ‘P=quarantine’ and not the previous ‘p=reject’
    Is this a change/update from their previous stance with this past weekend ‘reject’ update ?
    Best Regards,
    Bill Watkins-
    Application Analyst
    ScholarOne – Thomson Reuters
    Charlottesville, Virginia

    1. laura says

      I just checked here and they are currently publishing a p=reject. I’m guessing their website is outdated.
      Wait. I just re-read your comment. That website is just explaining what a DMARC record is. That’s not actually Yahoo’s record. Yahoo’s record looks like this:
      $ dig TXT
      ;; ANSWER SECTION: 1268 IN TXT “v=DMARC1\; p=reject\; sp=none\; pct=100\;,\;”
      ;; Query time: 5 msec
      ;; SERVER:
      ;; WHEN: Thu Apr 10 14:20:00 2014
      ;; MSG SIZE rcvd: 360

      1. Bill Watkins says

        Thanks Laura,
        I just checked also and still saw the p=reject. Wishing it wasn’t true however.
        Best Regards,
        Bill Watkins –

  16. How To Fix Your Email Delivery Problem | Sigan Corporation says

    […] you want the technical details, there’s a great post at Word to the Wise about DMARC, what exactly changed, and what it means for […]

  17. Dutchstartupblog: All startups from Holland in one map says

    […] Why is this happening? In an attempt to stop fraudulent emails, Yahoo changed its DMARC authentication policy to reject emails that claim to come from but actually originate at non-Yahoo servers. For more information on the DMARC authentication protocol, check out this DMARC primer from Laura Atkins at Word to the Wise. […]

  18. Sherrick Murdoff says

    This enormous pain, and the severe lack of communication, has caused me to drop Yahoo after 15 yrs. Way to go Yahoo.

  19. charlene says

    Well this just stinks and I knew this day would come! Wish I had already switched over to my own email address.

  20. Lyle Brooks says

    This policy is a huge LOSER!!!
    I run a few mailing lists and it breaks everything. Not only does it block any posting from Yahoo users to anyone else….but then it creates hundreds of bounce messages back to the server. These same Yahoo users don’t see their postings….and not knowing why….they post again, which gets blocked….and generates still more bounces.
    After so many bounces the mailing list software thinks these subscribers are stale, so it starts to unsubscribe not just the Yahoo users, but also most of the other users who have accounts on DMARC compliant servers.
    This is one of the most amazing self-inflicted Denial-Of-Service attacks one can witness.

  21. Tim McGraw says

    I just ran up against this as a Comcast customer who operates some email lists, and while I believe it is fine for free email providers to apply whatever rules they wish on their servers, I *pay* Comcast for email service and I have had some complaints from correspondents that their emails have been rejected with DMARC error codes.
    Comcast doesn’t even publish a DMARC record ( and specifies 12 authorized netblocks for SPF when the maximum allowed is 10 ( How is this even close to best practices?
    If I want to receive all my messages, I feel that it’s not Comcast business to decide what I can receive. What’s next, blocking phone calls?

  22. j j toydemir says

    I have a yahoo mailbox and it’s caused me to pull my flaming hair out on many occasions Yes, there is a Yahoo support (fyi it is outsourced). A couple months ago, they dumped and blocked all my outgoing mail I contacted them (short version) and they wanted me to pay $199.00 to fix their problem. Further, they shortly thereafter began daily filling my “spam” with an amazing 100-200 emails. And, believe me, those emails were sure tommy-rot!
    Thank you for Word to the Wise and you can be sure I am more than willing to share this information I’ve read here.

  23. Rick says

    Very good post.
    Won’t this cause spammers to switch their forged From addresses to gmail, hotmail, etc. – and therefore cause the other leading email providers to also invoke DMARC?

  24. Sending From a Web-Hosted Email Address May Bounce Your Email Marketing, Web Inquiries | Sally U: Business, Marketing, Tech & Social Media says

    […] emails. This is due to a new Domain-based Message Authentication, Reporting and Conformance or “DMARC” authentication policy these mail receivers […]

  25. Jacob says

    When I logged on to Yahoo mail that should be considered sending email from Yahoo server, isn’t it? So why email to some Gmail addresses are delivered but others are rejected with DMARC message (also Gmail adresses)? How do I solve this problem?

    1. laura says

      You should contact Yahoo support to troubleshoot the problem. There’s nothing any of us can actually do to help you.

  26. Dave says

    This has very suddenly become a real problem with mailing lists. I’m not directly affected (as a sender) because I have my own domain and leave it as unrestricted as possible (because like Tim, above, I want the decisions to be mine, not of some robot with no brain).
    Nevertheless, I suspect I’m not receiving some mail from mailing lists because of this issue. In fact, it was brought to my attention by the administrator of one such list. It would be nice if someone would publish — in plain English — what mailing list administrators need to do. Speaking as a user, I want to see who originated a message, not that it’s coming from a certain list server (which I can usually see already in the subject line). I happen to have a technical background, but reading the site has my head spinning!

    1. laura says is where I’d suggest you go for info about what list managers need to do.

  27. All About DMARC & How it Affects Your Deliverability - Dasheroo says

    […] Also check out this great Word to the Wise breakdown.  […]

  28. Larry says

    I currently forward all my email that is received by another mail server. I use a feature they provide called forwarding email. There is no selecting which email can or cannot be forwards. So when I receive eamail from AOL and try to forward it fails and appears on their end that the email is not delivered. The email has the orginating email address from AOL in the forwarding sending address. How am I to correct this problem.

    1. laura says

      You can’t fix this, it’s a policy decision by AOL and Yahoo! to prevent this kind of forwarding.

  29. Joe says

    Laura, thanks for the great write-up on DMARC. We just ran into this issue with a new feature we rolled out to our members. Your article helped us quickly get to the root cause.

  30. Luke says

    Hi, I use Optus as an ISP. They will not allow you to use a Yahoo SMTP. You must configure the pop to be yahoo and the smtp to be Optus, other the ISP stops the email from being sent. Does this mean that if I continue to do this yahoo will stop my mail?So my ISP stops it without the ISP smtp and yahoo stops with out their smtp, if affect this means I can no longer use yahoo accounts.

  31. Want to Get Your Emails Delivered? Fix This Today | Email Marketing Tips says

    […] you want the technical details, there’s a great post at Word to the Wise about DMARC, what exactly changed, and what it means for […]

  32. Judy Harvey says

    what email do you suggest using to avoid this problem? I am ready to leave Yahoo…

  33. Ja sūti e-pastus no publiskiem domēniem, ievēro DMARC politiku says

    […] izsūti e-pasta kampaņas no privātā domēna un esi ieviesis DMARC politiku savam domēnam, iesaku autentificēt savu domēnu un izsūtīt e-pasta mārketinga […]

  34. If You Send Emails from Public Domains, Agree with the DMARC Policy - Email Marketing Blog | Email Marketing Tips & News| Mailigen says

    […] you send emails from your company domain and have implemented the DMARC policy, we suggest you to authenticate your private domain before sending emails from the Mailigen […]

  35. Who’s it From? Five Questions to Ask to Increase Email Opens. says

    […] DMARC stands for “Domain-based Message Authentication, Reporting & Conformance” and is a policy that is being implemented globally on the good ol’ world wide web to reduce spam and phishing schemes.  In order to reduce spam and email abuse, soon all the major ISPs (internet service providers) will stop delivering emails from,, and other free domain email addresses unless they are sent directly from an AOL, Yahoo, or Gmail account. […]

  36. Want to Get Your Emails Delivered? Fix This Today - Onlive Infotech says

    […] you want the technical details, there’s a great post at Word to the Wise about DMARC, what exactly changed, and what it means for […]

  37. Authentication Changes at Yahoo! Impact Email Marketing | VR Marketing Blog says

    […] Authentication, Reporting and Conformance (DMARC) validation (here’s a good description of DMARC.) Basically, if your From email address doesn’t match the sender address from the mail server, […]

  38. Bill Watkins says

    I would like to run something past, but do not think a solution is within our grasp. We have set DAMRC records for ‘’ & to P=Reject. We see Forwards on recipient server accounts to GMAIL. eg:
    : host[] said: 550-5.7.1 Unauthenticated email from is not accepted due 550-5.7.1 to domain’s DMARC policy. Please contact administrator of manuscriptc 550-5.7.1 domain if this was a legitimate mail. Please visit 550-5.7.1 to learn about DMARC 550 5.7.1 initiative. 69si5309482qhp.41 – gsmtp (in reply to end of DATA
    Final-Recipient: rfc822;
    Original-Recipient: rfc822;
    Action: failed Status: 5.7.1
    The originating email to rfc822; was successfully delivered to the recipient at and the recipients email account on contains a forward to his GMail account which is out of our control. Gmail is ‘seeing’ the originating server as ‘’ but also sees in the Forward the original recipient as rfc822; thus the mismatch.
    We know the Forward from the University account is out of our hands but can anything in our DMARC records be tweaked to take these forwards into account or can anything be tweaked in our header structures to address these forwards ?
    Bill Watkins –

    1. laura says

      Hi, Bill,
      About the only thing you can do is sign with an aligning d= ( or respectively) and hope that the university isn’t doing any modification during the forward so the DKIM signature is valid and aligned.
      If the forwarded mail is really important, and you can’t DKIM sign (or the university is doing some body modification that breaks the DKIM signature) then you’ll need to step back to a p=quarantine or p=none.
      This is DMARC working as designed. Some people think that email is not, yet, in a place where every domain should be using p=reject by default. This is one of the examples of why those people think that way.

  39. Christine Yelich Roberts says

    Im not sure what to do. Not sure it is wise to change my biz email right now. I’ve had that yahoo adress for over 16 years. I think I’ll wait and check mail chimp out later. I’ll send out this months announcements in batches from yahoo, like I’ve done for years. But I’m interested in finding out how to get around this in the future.

  40. Abhi says

    Not sure how this happened, but there is a link to an online gambling site in the middle of your post:
    In the section Why bring this up now?
    This means mail from Yahoo users not using the online slots for real money Yahoo outbound SMTP servers

    1. laura says

      Weird. It’s not in the post draft window, although I can see it in web inspector. I republished the page and it seems to be gone now.
      Thanks for the notice.

  41. Gravity forms – Notification Issues | Ari Salomon: WordPress Expert says

    […] of email anti-spam consultancy firm Word to the Wise based in Palo Alto, California, also confirmed and documented the issue in a blog post. She believes that Yahoo began advertising a “reject” policy because of a recent attack against […]

  42. Yahoo's Use of DMARC Makes it Harder for Email Marketers says

    […] Yahoo users have been attacked by spammers, and Yahoo has been in the media quite a bit in regard to an attack where many email addresses were compromised. In an effort to protect their end users, they put this DMARC policy in place.  If you want the deep details, check this Monday, April 7 blog post from Laura Atkins, industry expert and co-founder of Word to the Wise: […]

  43. Gravity forms – Notification Issues | says

    […] of email anti-spam consultancy firm Word to the Wise based in Palo Alto, California, also confirmed and documented the issue in a blog post. She believes that Yahoo began advertising a “reject” policy because of a recent attack against […]


Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Recent Comments